Defining a Trust Level for your web application
Last weekend I worked on an assignment which consisted of determining how to read, write and delete files in a specific folder and how to read, insert, update and delete records in an MS Access 2003 database under a Medium trust level in a shared hosting context. The client misled the assignment by confusing the trust level set at Medium with his capabilities to accomplish the tasks.
First, trust levels are useful to isolate different applications in a shared hosting environment and to enhance security by prohibiting a web application from accessing host system resources. A web server administrator wants to prevent a malicious web application from accessing files or directories of other web applications, such as the web.config file, to read, say, the connection string and gain access to confidential data. On the other hand, the web server administrator wants to prevent a web application, whether well-intentioned or not, from accessing hosting machine resources like the registry, the file system or the event logs.
There are 6 different levels of trust you may use for different purposes:
- Full : the default configuration in a development environment
- High
- Medium : the usual setting for a production environment
- Low
- Minimal
- Custom* : you may define your own security policy
* This trust level does not exist by default but may be defined and customized according to your needs.
The trust levels are defined in the web.config file of Framework 2.0.50727:
<location allowOverride="true">
  <system.web>
    <securityPolicy>
      <trustLevel name="Full" policyFile="internal"/>
      <trustLevel name="High" policyFile="web_hightrust.config"/>
      <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
      <trustLevel name="Low" policyFile="web_lowtrust.config"/>
      <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
    </securityPolicy>
    <trust level="Full" originUrl=""/>
  </system.web>
</location>
There are several remarks to be made here. First, the security policy may be overridden by an application because the allowOverride attribute is set to true. Also, the machine-wide trust is set to Full. To override the security policy, the web.config file of the web application must be modified as follows:
<system.web>
  <trust level="Medium" originUrl=""/>
</system.web>
Inside the <system.web> node, add a trust element and set its level to one of the available levels.
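To make the interaction between the machine-level file and the application's web.config concrete, here is an added example that is not part of the original post: a small Python model of how the effective trust level is resolved. It is an approximation written for illustration, not ASP.NET's configuration system. It reads the allowOverride attribute of the machine-level location element, the trustLevel-to-policyFile map, and the trust element of both files. A trust section locked with allowOverride="false" makes an application that still sets <trust> fail at startup with a configuration error, which the model reproduces by raising ValueError; a level the machine file never registered fails the same way. Both configuration fragments below are constructed samples that follow the shape of the ones shown above.

```python
import xml.etree.ElementTree as ET

# Constructed machine-level fragment (same shape as the Framework web.config).
MACHINE_WEB_CONFIG = """<configuration>
  <location allowOverride="true">
    <system.web>
      <securityPolicy>
        <trustLevel name="Full" policyFile="internal"/>
        <trustLevel name="High" policyFile="web_hightrust.config"/>
        <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
        <trustLevel name="Low" policyFile="web_lowtrust.config"/>
        <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
      </securityPolicy>
      <trust level="Full" originUrl=""/>
    </system.web>
  </location>
</configuration>"""

# Constructed application-level fragment that asks for Medium trust.
APP_WEB_CONFIG = """<configuration>
  <system.web>
    <trust level="Medium" originUrl=""/>
  </system.web>
</configuration>"""


def effective_trust(machine_xml, app_xml):
    """Return (level, policyFile) the application would run under.

    Modelled rules (an approximation of ASP.NET, not its real engine):
      - the machine-level <trust> is the default;
      - the application may replace it only when the enclosing <location>
        has allowOverride="true"; otherwise setting <trust> is an error;
      - the resulting level must be registered under <securityPolicy>.
    """
    machine = ET.fromstring(machine_xml)
    location = machine.find("location")
    allow_override = True
    if location is not None:
        allow_override = location.get("allowOverride", "true").lower() == "true"
    policies = {tl.get("name"): tl.get("policyFile")
                for tl in machine.iter("trustLevel")}
    level = machine.find(".//trust").get("level")

    app_trust = ET.fromstring(app_xml).find(".//trust")
    if app_trust is not None:
        if not allow_override:
            raise ValueError("trust is locked at machine level; the "
                             "application web.config may not set it")
        level = app_trust.get("level")
    if level not in policies:
        raise ValueError("trust level %r is not registered in "
                         "securityPolicy" % level)
    return level, policies[level]


if __name__ == "__main__":
    print(effective_trust(MACHINE_WEB_CONFIG, APP_WEB_CONFIG))
    locked = MACHINE_WEB_CONFIG.replace('allowOverride="true"',
                                        'allowOverride="false"')
    try:
        effective_trust(locked, APP_WEB_CONFIG)
    except ValueError as err:
        print("locked:", err)
```

Flipping allowOverride to false is exactly what a hosting provider does to pin every tenant to Medium trust: the application keeps running under the machine-wide level, and any attempt to raise its own trust is refused instead of silently ignored.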
The trust levels are defined in config files in the %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG directory. The Full trust level is a special case: the ASP.NET host does not apply any security policy, so the application is considered to have full trust in the local machine zone, and the level is mapped to an internal handler. The other trust levels are defined in files. Each file has two main sections: the first defines the security classes and the second the permissions granted to them.
To understand what the Medium trust level is, it is useful to compare the web_mediumtrust.config file with the web_hightrust.config file. When comparing the two files, we notice that the medium one defines far fewer IPermission elements. Also, some IPermission elements are much more restrictive. For instance, the medium FileIOPermission grants Read, Write, Append and PathDiscovery on the application directory only, while the high FileIOPermission is unrestricted.
You can write your own custom security file.
First, copy the %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\web_mediumtrust.config and rename it to something like web_customtrust.config.
Second, open the new file and add, remove or modify entries to meet your needs. To grant a new permission, add a SecurityClass entry and a corresponding IPermission element.
Third, open the web.config file of the %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG\ directory. Add your custom policy to the securityPolicy element:
<trustLevel name="Custom" policyFile="web_CustomTrust.config" />
Set allowOverride to true.
Fourth, open the web.config file of your web application.
Fifth, inside the system.web node, add a trust node and set its level to Custom:
<system.web>
  <trust level="Custom" originUrl=""/>
</system.web>
Another way to reference the custom trust file is to put the web_CustomTrust.config file at the root of the web application. Then, in the application's web.config file, add the following nodes:
<location allowOverride="true">
  <system.web>
    <securityPolicy>
      <trustLevel name="Custom" policyFile="web_CustomTrust.config" />
    </securityPolicy>
    <trust level="Custom" originUrl="" />
  </system.web>
</location>
For more information on trust levels, I suggest you read these articles:
From the MSDN site (How To: Use Code Access Security in ASP.NET 2.0), this table is quite informative:
| Trust Level | Key Capabilities and Restrictions |
| --- | --- |
| Full | No restrictions imposed by code access security. |
| High | No unmanaged code. No enterprise services. Can access Microsoft SQL Server and other OLE DB data sources. Can send e-mail by using SMTP servers. Very limited reflection permissions. No ability to invoke code by using reflection. A broad set of other framework features are available. Applications have full access to the file system and to sockets. |
| Medium | Permissions are limited to what the application can access within the directory structure of the application. No file access is permitted outside of the application's virtual directory hierarchy. Can access SQL Server. Can send e-mail by using SMTP servers. Limited rights to certain common environment variables. No reflection permissions whatsoever. No sockets permission. To access Web resources, you must explicitly add endpoint URLs—either in the originUrl attribute of the <trust> element or inside the policy file. |
| Low | Intended to model the concept of a read-only application with no network connectivity. Read only access for file I/O within the application's virtual directory structure. |
| Minimal | Execute only. No ability to change the IPrincipal on a thread or on the HttpContext. |
Also, have a look at Table 4: Default ASP.NET Policy Permissions and Trust Levels on the same web page, which explains which permissions are available at each level.
An exception is raised if the configured trust level does not allow your action. It may look something like this:
Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. mscorlib
This exception was raised because the FileIOPermission granted by the policy did not authorize the attempted file operation.
Finally, the assignment I spoke of earlier was more about configuring a folder to give Modify permission (read, write, delete) and giving away a few pieces of code on how to connect to an MS Access database to read, update, insert and delete records, and on how to read, write and delete files in a folder.
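The comparison of web_mediumtrust.config with web_hightrust.config, the custom policy file built from a copy of the medium one, and the FileIOPermission failure just shown all come down to the same question: which paths does the FileIOPermission in a policy file actually cover? The following Python analyzer is an added example that is not part of the original post and not ASP.NET's own policy engine. It parses the policy layout used by the real files (a SecurityClasses section followed by the ASP.Net named permission set of IPermission elements), expands $AppDir$, and answers whether a given access to a given path is granted, which is the decision behind the "Request for the permission of type ... FileIOPermission ... failed" message. The three policy documents are constructed, trimmed samples in that layout; the custom one adds a made-up folder, C:\Data\Uploads, the way the assignment described at the start of the post would need. Applying Windows path rules (case-insensitive, backslashes) through ntpath is the added code's choice so it runs anywhere.

```python
import ntpath
import xml.etree.ElementTree as ET

PERMISSION_SET = "ASP.Net"  # the named set ASP.NET grants to an application


def policy_document(ipermissions):
    """Constructed, trimmed sample in the layout of the real policy files:
    a SecurityClasses section followed by the ASP.Net permission set."""
    return (r'''<configuration><mscorlib><security><policy>
  <PolicyLevel version="1">
    <SecurityClasses>
      <SecurityClass Name="FileIOPermission" Description="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
      <SecurityClass Name="SocketPermission" Description="System.Net.SocketPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
    </SecurityClasses>
    <NamedPermissionSets>
      <PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
''' + "\n".join(ipermissions) + r'''
      </PermissionSet>
    </NamedPermissionSets>
  </PolicyLevel>
</policy></security></mscorlib></configuration>''')


# Medium: file I/O only below the application directory ($AppDir$).
MEDIUM_POLICY = policy_document([
    r'<IPermission class="FileIOPermission" version="1" Read="$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$"/>',
])
# High: unrestricted file I/O and sockets.
HIGH_POLICY = policy_document([
    r'<IPermission class="FileIOPermission" version="1" Unrestricted="true"/>',
    r'<IPermission class="SocketPermission" version="1" Unrestricted="true"/>',
])
# Hypothetical web_customtrust.config: Medium plus one extra folder (the
# folder name is made up). File.Delete demands Write on the path.
UPLOADS = r"C:\Data\Uploads"
CUSTOM_POLICY = policy_document([
    r'<IPermission class="FileIOPermission" version="1" Read="$AppDir$;%s" Write="$AppDir$;%s" Append="$AppDir$;%s" PathDiscovery="$AppDir$;%s"/>'
    % (UPLOADS, UPLOADS, UPLOADS, UPLOADS),
])


def load_permissions(policy_xml):
    """Return {permission class: attributes} for the ASP.Net permission set."""
    perms = {}
    for pset in ET.fromstring(policy_xml).iter("PermissionSet"):
        if pset.get("Name") != PERMISSION_SET:
            continue
        for ip in pset.findall("IPermission"):
            perms[ip.get("class")] = {k: v for k, v in ip.attrib.items()
                                      if k not in ("class", "version")}
    return perms


def _norm(path):
    # Windows semantics even when run elsewhere: case-insensitive, backslashes.
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")


def file_access_roots(perms, access, app_dir):
    """Directories under which FileIOPermission grants `access` (Read, Write,
    Append or PathDiscovery). None means unrestricted; [] means no grant."""
    fio = perms.get("FileIOPermission")
    if fio is None:
        return []
    if fio.get("Unrestricted", "").lower() == "true":
        return None
    # The XML form lists several paths separated by ';'.
    return [_norm(p.replace("$AppDir$", app_dir))
            for p in fio.get(access, "").split(";") if p.strip()]


def is_file_access_granted(perms, access, path, app_dir):
    """The decision behind 'Request for the permission of type
    FileIOPermission ... failed': is `path` under a granted root?"""
    roots = file_access_roots(perms, access, app_dir)
    if roots is None:
        return True
    target = _norm(path)
    return any(target == r or target.startswith(r + "\\") for r in roots)


def diff_permissions(narrow, wide):
    """What `wide` grants that `narrow` does not, class by class."""
    report = []
    for cls, attrs in sorted(wide.items()):
        if cls not in narrow:
            report.append("%s: absent from narrower policy" % cls)
        elif attrs != narrow[cls]:
            report.append("%s: %s vs %s" % (cls, narrow[cls], attrs))
    return report


if __name__ == "__main__":
    app_dir = r"C:\Inetpub\wwwroot\myapp"  # constructed application root
    medium, high, custom = (load_permissions(p) for p in
                            (MEDIUM_POLICY, HIGH_POLICY, CUSTOM_POLICY))
    for line in diff_permissions(medium, high):
        print("High grants more:", line)
    checks = (("Read", r"C:\Inetpub\wwwroot\other\web.config"),
              ("Write", app_dir + r"\App_Data\db.mdb"),
              ("Write", UPLOADS + r"\report.txt"))
    for name, perms in (("Medium", medium), ("Custom", custom)):
        for access, path in checks:
            print(name, access, path, "->",
                  is_file_access_granted(perms, access, path, app_dir))
```

Running it shows the two properties the post relies on: under Medium trust a read of another tenant's web.config is refused while the application's own App_Data is writable, and the custom policy only widens the grant to the one extra folder instead of jumping to High trust and handing out unrestricted file and socket access.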
Best regards,
Patrice